Microsoft Awards $100,000 Security Bounty for Innovative Research

Discovering a security hole in a major program may earn you a few hundred or a few thousand dollars. To claim Microsoft's $100,000 Mitigation Bypass Bounty, you have to discover a whole new realm of exploitation. One researcher has done so.

Many major software companies will pay a "bug bounty" to the first person who reports a particular security hole. Bounty amounts vary, but they can range anywhere from a pat on the back to thousands of dollars. Microsoft's Mitigation Bypass Bounty operates at a distinctly higher level. In order to claim the $100,000 reward, a researcher must present a brand-new exploitation technique that's effective against the very latest version of Windows. This kind of discovery is quite uncommon, and yet, just three months after announcing this program, Microsoft today made its first $100,000 award.

A History of Cooperation

I spoke with Katie Moussouris, senior security strategy lead for Microsoft Trustworthy Computing group, about this award and about Microsoft's history of working with researchers and hackers. Moussouris joined about six and a half years ago as a security strategist, but "there was a long history of Microsoft engaging with researchers and hackers, even before my time."

Moussouris gave as an example the researchers who discovered the vulnerability that powered the Blaster worm. "Microsoft senior officials visited them in Poland," she said. "They were recruited... They're still working with us for the past decade."

She noted that Microsoft's regular BlueHat conferences "bring hackers to Microsoft to meet our people, to educate and entertain, and make our products more secure." In 2012, Microsoft's BlueHat Prize contest awarded over $250,000 to three academic researchers who came up with never-before-seen innovations.

Current Bounties

"Three months ago we launched three new bounties," said Moussouris, "two of which are still active." During the first 30 days of the Internet Explorer 11 preview, Microsoft offered ordinary bug bounties. "A lot of researchers were holding on, not reporting bugs, waiting for final release," noted Moussouris. "We decided to encourage them to submit those reports." At the end of that program's 30-day run, six researchers had claimed bug bounties totaling over $28,000.

The Mitigation Bypass Bounty specifically rewards researchers who discover a whole new exploitation method. "If we didn't already know about return-oriented programming," said Moussouris, "that discovery would have earned $100,000." It's not just pie-in-the-sky research, either. A researcher who wants to claim this bounty must supply a working proof-of-concept program that demonstrates the exploitation technique.

"There were only three ways an organization could learn about these attacks in the past," noted Moussouris. "First, our internal researchers would come up with something. Second, it would appear in an exploitation contest like Pwn2Own. Third, and worst, it would surface in an active attack." She explained that the current bounty program is available year-round, not just at a competition. "If you're a researcher who wants to play nice, who wants to protect people, there's a bounty available now. You do not have to wait."

And the Winner Is...

Moussouris estimates that discoveries big enough to merit a bounty only happen every three years or so. Her team was surprised and pleased to find a worthy recipient just three months after the bounty program began. James Forshaw, Head of Vulnerability Research for UK-based Context Information Security, becomes the first to receive the Mitigation Bypass Bounty.

In an email to SecurityWatch, Forshaw had this to say: "Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count." Forshaw continued, "To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful."

As for exactly what Forshaw discovered, that won't be revealed right away. The whole point is to give Microsoft time to set up defenses before the bad guys make the same discovery, after all!

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...